Manage file observables

Manage file observables provides stringent security measures to store the suspicious files and enables the files type observables for sandbox integration.

About this task

You can create and view file type observables for a security incident. The suspicious files which are part of the observables are stored in a specific location, which can be accessed by the security analyst to download the file only with a specific role.

Role required: sn_ti_malicious_attachment_access (upload)

Upload the file type observables:

Automatically: When the security incidents are created for the phishing emails, the attachments in the phishing email are created as file type observables.
Manually: A security analyst can also upload the suspicious files to create file type observables.

Procedure

Navigate to a security incident.
Select Observables from the Show All Related Lists tab.

If there are any attachments in the phishing email, then by default those attachments are created as file type observables in the corresponding security incident. Each attachment is created as two observables such as file type and file hash observable.

To upload the secure attachments manually:

Click Upload Secure Attachment.
On the Upload Secure Attachments, Click Choose file to upload one or more files. Each file is considered as a single observable record.
Click Create File Observables to create the file type observables such as one is the file type and other one is the file hash which is a unique identifier.

This image describes the file contents of the observables. — Figure 1. File type observables

Select the file type observable to process for further integrations such as sandbox, threat lookup. In addition, you can also download the attachments from the file type observable.

Note:

The threat lookup (VirusTotal) retrieves the file from the secured attachments for the new file type observables and the below system properties are not applicable for the new file type observables.

sn_ti.scan.delete_attachment_after_hash
sn_ti.scan.use_file_hash

For a quick reference, the file type observable is mapped as a child to the hash observable and hash observable is mapped as a child to file observable.

If the phishing email attachments are exceeding more than the defined size then the observables are not created. You must modify the system properties to support the larger size files.

Table 1. File size system properties
System property	Description
glide.email.inbound.max_total_attachment_size_bytes	If you are forwarding the phishing email directly, use this system properties value to increase the file size from 18MB to a desired file size.
com.glide.attachment.max_get_size	If you are forwarding the phishing email as an attachment, use this system property value to create the below system properties under global scope to increase the file size from 5MB to the desired size.

You can also create a new file type observable as follows:
- Click New.
- Select the Observable type Category: File
- Click Upload button to attach a file.

Manage file observables

Manage file observables provides stringent security measures to store the suspicious files and enables the files type observables for sandbox integration.

About this task

Role required: sn_ti_malicious_attachment_access (upload)

Upload the file type observables:

Automatically: When the security incidents are created for the phishing emails, the attachments in the phishing email are created as file type observables.
Manually: A security analyst can also upload the suspicious files to create file type observables.

Procedure

Navigate to a security incident.
Select Observables from the Show All Related Lists tab.

If there are any attachments in the phishing email, then by default those attachments are created as file type observables in the corresponding security incident. Each attachment is created as two observables such as file type and file hash observable.

To upload the secure attachments manually:

Click Upload Secure Attachment.
On the Upload Secure Attachments, Click Choose file to upload one or more files. Each file is considered as a single observable record.
Click Create File Observables to create the file type observables such as one is the file type and other one is the file hash which is a unique identifier.

Select the file type observable to process for further integrations such as sandbox, threat lookup. In addition, you can also download the attachments from the file type observable.

Note:

The threat lookup (VirusTotal) retrieves the file from the secured attachments for the new file type observables and the below system properties are not applicable for the new file type observables.

sn_ti.scan.delete_attachment_after_hash
sn_ti.scan.use_file_hash

For a quick reference, the file type observable is mapped as a child to the hash observable and hash observable is mapped as a child to file observable.

If the phishing email attachments are exceeding more than the defined size then the observables are not created. You must modify the system properties to support the larger size files.

Table 1. File size system properties
System property	Description
glide.email.inbound.max_total_attachment_size_bytes	If you are forwarding the phishing email directly, use this system properties value to increase the file size from 18MB to a desired file size.
com.glide.attachment.max_get_size	If you are forwarding the phishing email as an attachment, use this system property value to create the below system properties under global scope to increase the file size from 5MB to the desired size.

You can also create a new file type observable as follows:
- Click New.
- Select the Observable type Category: File
- Click Upload button to attach a file.

How search works:

Topics are ranked in search results by how closely they match your search terms

Manage file observables

Manage file observables

On this page

Manage file observables

Manage file observables

Log in to personalize your search results and subscribe to topics